
I use the Check for updates but let me choose whether to install them option, but Firefox hadn’t said anything to me about 16.

So I checked by hand – something I like doing every couple of days, even though it’s not supposed to be necessary – using the About Firefox option.

According to Firefox, I was up to date at 15.0.1.

That left me wondering how come I’d heard about 16.0, so I went to the Systems and Languages Firefox download page, also known as the all versions page. There it was, version 16.0.

So I downloaded 16.0 and installed it over my 15.0.1. A fresh install is hardly any more trouble than an update, so why not be ahead of the curve?

Turns out that there’s a good reason, which couldn’t have been less obvious: 16.0 has been “temporarily removed from the installer page” due to a security hole, documented on Mozilla’s security blog (but not on the regular blog, which seems rather an oversight):

The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. At this time we have no indication that this vulnerability is currently being exploited in the wild.

If, like me, you always go to the all versions page, which is handy if you run more than one operating system, or want to choose a specific language version, you’ll have been offered 16.0 and no other. And if you’ve already upgraded to 16.0, you’d be forgiven for not realising that there’s a security problem at all.

Whether I manually check for updates or go to the default download page, there’s nothing to suggest that I ought to downgrade from 16.0.

To go back to 15.0.1, you have to go to the new download page. That does offer you 15.0.1, to which you’re recommended to downgrade. Until tomorrow, when version 16 should be released and you can upgrade the downgrade of your upgrade.

Confused? Sorry about that.

If you haven’t yet updated from 15.0.1, you’re fine. If you already have version 16.0, grab 15.0.1 from the new link and install it over the no-longer-the-newest 16.0.

Once you’ve downgraded, you’ll get another Hooray! page. This time you will be up to date – for a while, anyway.

And if you’re not yet on either 16.0 or 15.0.1, you probably need to have a little chat with yourself about updating in general.

Although this latest issue reminds us that it’s occasionally problematic to be too far ahead of the curve, it’s always risky to be behind.

Update: When I checked at 2012-10-11T23:53+11, the all versions page had been changed back so every OS version in every language was at 15.0.1.

This is horrible advice. According to http://secunia.com/advisories/50856/ Firefox 15.0.1 has multiple vulnerabilities, and it is considered end-of-life. The right thing to do is not using Firefox at all, until they fix the issue in Firefox 16.

That is a bit harsh. The Mozilla team decided to roll back and they are the experts with regards to this situation. They expect to have a new version of 16 available tomorrow, so it is only a temporary measure.

To be perfectly fair, Secunia doesn't say anything about 15.0.1. They simply lump everything into 15.x, without bothering to indicate what was fixed between .0 and .0.1, which suggests that they aren't precisely tracking the holes in Firefox themselves.

Indeed, as far as I can see, Secunia's advisory is just Mozilla's own information and advice, taken from Mozilla's 16.0 release notes of 09 October 2012, and republished on 10 October 2012.

Ergo, if you accepted Secunia's advice from yesterday to advance to 16.0, you might as well accept Mozilla's advice today to retreat to 15.0.1, as the ultimate source of both pieces of advice seems to be the same – Mozilla.

But if you go to the "new" link, you get offered the default language English (US). How different this is from English (UK) I am not sure – but I suspect it is more different for other languages!

Out of interest have any of the for-profit browser developers ever launched a buggy upgrade, admitted it and back-graded? Should a public back-grade actually give us more confidence in a browser developer?

They probably did test, just didn't find the flaw until it was too late to avoid eating crow. Vulnerability testing is hard. You have to look at a piece of code, figure out what it does, and then figure out how to use that for evil. Creativity often takes time.